computer science 203 programming languages axiomatic semantics · pdf fileaxiomatic semantics...

42
Axiomatic Semantics 1 Computer Science 203 Programming Languages Axiomatic Semantics Cormac Flanagan University of California, Santa Cruz

Upload: hathu

Post on 09-Mar-2018

229 views

Category:

Documents


3 download

TRANSCRIPT

Axiomatic Semantics 1

Computer Science 203 Programming Languages

Axiomatic Semantics

Cormac Flanagan

University of California, Santa Cruz

Axiomatic Semantics 2

Review of Operational Semantics

•  Simple (relatively) •  Good for

–  language definition (eg IMP) –  verifying language properties (eg IMP is deterministic) –  verifying correctness of tools that manipulate programs

•  eg. interpreters, compilers, type checkers, etc

•  Awkward for verifying even simple programs •  Not compositional

Axiomatic Semantics 3

Axiomatic Semantics

•  Tackles question: Is my program correct? –  Does it satisfy its specification

•  Two parts: –  A language for writing program specifications –  Rules for establishing that a program satisfies its specification

•  Example specifications –  This program terminates. –  All array accesses are within array bounds, no null

dereferences, and no unexpected exceptions –  The method returns a sorted array –  The variables x and y are always identical whenever z is 0

•  Example specification languages –  First-order logic. –  Other logics (e.g., temporal logic).

Axiomatic Semantics 4

History

•  Program verification is almost as old as programming (e.g., “Checking a Large Routine”, Turing 1949)

•  In the late ’60s, Floyd had rules for flowcharts and Hoare for a language similar to IMP.

•  Since then, there have been axiomatic semantics for substantial languages, and many applications.

Axiomatic Semantics 5

Dijkstra Said

•  Program testing can be used to show the presence of bugs, but never to show their absence!

Axiomatic Semantics 6

Hoare Said

•  Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs.

C.A.R Hoare, “An Axiomatic Basis for Computer Programming”,

1969

Axiomatic Semantics 7

Hoare Also Said

•  It has been found a serious problem to define these languages [ALGOL, FORTRAN, COBOL] with sufficient rigour to ensure compatibility among all implementors. Since the purpose of compatibility is to facilitate interchange of programs expressed in the language, one way to achieve this would be to insist that all implementations of the language shall “satisfy” the axioms and rules of inference which underlie proofs of the properties of programs expressed in the language, so that all predictions based on these proofs will be fulfilled, except in the event of hardware failure. In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language.

Another of the objectives of formal language definition is to assist in the design of better programming languages.

Axiomatic Semantics 8

Other Applications of Axiomatic Semantics

•  The project of defining and proving everything formally has not succeeded (at least not yet).

•  Proving has not replaced testing (and praying).

•  Some applications of axiomatic semantics: –  Documentation of programs and interfaces. –  Guidance in design and coding. –  Proving the correctness of algorithms (or finding bugs). –  Proving the correctness of hardware descriptions (or finding

bugs). –  “Extended static checking” (e.g., checking array bounds). –  Proof-carrying code.

Axiomatic Semantics 9

Assertions for IMP

•  Partial correctness assertion: {A} c {B } If A holds in state σ and there exists σ’ such that <c, σ> ⇓ σ’ then B holds in σ’.

•  Total correctness assertion: [A] c [B ] If A holds in state σ then there exists σ’ such that <c, σ> ⇓ σ’ and B holds in state σ’.

•  These are called Hoare triples. •  A is called precondition and B is called postcondition. •  Example: { y · x } z := x; z := z +1 { y < z }

Axiomatic Semantics 10

The Assertion Language

•  We re-use IMP boolean expressions as our assertion language

A,B :: = b (IMP boolean expressions)

We say σ satisfies A (written σ ² A ) if <A, σ> ⇓ true

Axiomatic Semantics 11

Semantics of Assertions

•  Now we can define formally the meaning of a partial correctness assertion.

² { A } c { B } holds if and only if 8σ2Σ. σ ² A ) [8σ’2Σ. <c,σ> ⇓ σ’ ) σ’ ² B]

•  … and the meaning of a total correctness assertion. ² [A] c [B] holds if and only if 8σ2Σ. σ ² A ) [9σ’2Σ. <c,σ> ⇓ σ’ ∧ σ’ ² B] •  ... which simplifies to

8σ2Σ. σ ² A ) [8σ’2Σ. <c,σ> ⇓ σ’ ) σ’ ² B] ∧ 8σ2Σ. σ ² A ) 9σ’2Σ. <c,σ> ⇓ σ’

Axiomatic Semantics 12

Deriving Assertions

•  Formal definition of ² { A } c { B } is difficult to use ² { A } c { B } holds if and only if 8σ2Σ. σ ² A ) [8σ’2Σ. <c,σ> ⇓ σ’ ) σ’ ² B]

–  defined in terms of the operational semantics ‒  8σ

•  So we define a symbolic technique (ie, a logic) for deriving valid triples ` {A} c { B} from other valid triples.

Axiomatic Semantics 13

Derivation Rules for Hoare Triples

•  Similarly we write ` {A} c { B} when we can derive the triple using derivation rules.

•  There is one derivation rule for each command in the language.

•  Plus, the rule of consequence:

A’ ) A ` {A} c {B} B ) B’

` {A’} c {B’}

Axiomatic Semantics 14

Derivation Rules for Hoare Logic ` {A} c { B}

•  One rule for each language construct (plus one more)

` {A} skip {A} ` {[e/x]A} x := e {A}

` {A} c1 {B} ` {B} c2 {C}

` {A} c1; c2 {C} ` {A ∧ b} c1 {B} ` {A ∧ ¬ b} c2 {B}

` {A} if b then c1 else c2 {B}

` {A Æ b} c {A}

` {A} while b do c {A Æ ¬ b} A’ ) A ` {A} c {B} B ) B’

` {A’} c {B’}

Rule of Consequence

Axiomatic Semantics 15

Hoare Rules

•  For some constructs multiple rules are possible:

•  Exercise: these rules can be derived from the previous ones using the rule of consequence.

` {A} x := e {9x0.[x0/x]A ∧ x = [x0/x]e}

A ∧ b ) I ` {I} c {A} ` A ∧ ¬ b ) B

` {A} while b do c {B}

(This was the “forward” axiom for assignment.)

Axiomatic Semantics 16

Example: Assignment

•  Assume that x does not appear in e Prove that {true} x := e { x = e } •  But

because [e/x](x = e) ´ e = [e/x]e ´ e = e

•  Assignment + consequence:

` {e = e} x := e {x = e}

true ) e = e ` {e = e} x := e {x = e} ` {true} x := e {x = e}

Axiomatic Semantics 17

The Assignment Axiom (Cont.)

•  Hoare said: “Assignment is undoubtedly the most characteristic feature of programming a digital computer, and one that most clearly distinguishes it from other branches of mathematics. It is surprising therefore that the axiom governing our reasoning about assignment is quite as simple as any to be found in elementary logic.”

•  Caveats are needed for languages with aliasing: –  If x and y are aliased then { true } x := 5 { x + y = 10} is true

Axiomatic Semantics 18

Example: Conditional

•  D1 is obtained by consequence and assignment

•  D2 is also obtained by consequence and assignment

D1 :: ` {true ∧ y >= 0} x := 1 {x > 0} D2 :: ` {true ∧ y > 0} x := y {x > 0}

` {true} if y · 0 then x := 1 else x := y {x > 0}

true ∧ y >= 0 ) 1 > 0 ` {1 > 0} x := 1 {x > 0} ` {true ∧ y >= 0} x := 1 {x > 0}

true ∧ y > 0 ) y > 0 ` {y > 0} x := y {x > 0} ` {true ∧ y > 0} x := y {x > 0}

Axiomatic Semantics 19

Example: Loop

•  We want to derive that ` {x · 0} while x · 5 do x := x + 1 { x = 6} •  We use the rule for while with invariant x · 6:

•  We finish off with consequence:

x · 6 ∧ x · 5 ) x + 1 · 6 ` {x + 1 · 6} x := x + 1 { x · 6 } ` {x · 6 Æ x · 5 } x := x + 1 {x · 6}

` {x · 6} while x · 5 do x := x + 1 { x · 6 Æ x > 5}

x · 0 ) x · 6 x · 6 Æ x > 5 ) x =6 ` {x · 6} while … { x · 6 Æ x > 5}

` {x · 0} while … {x = 6}

Axiomatic Semantics 20

Another Example

•  Verify that ` {A } while true do c { B} holds for any A, B, and c. •  We must construct a derivation tree

•  We need an additional lemma: 8A.8c. ` { A } c {true}

A ) true true Æ false ) B

` {true Æ true} c { true }

{true} while true do c {true Æ false} ` {A} while true do c { B}

Axiomatic Semantics 21

Notes on Using Hoare Rules

•  Hoare rules are mostly syntax directed.

•  There are three wrinkles: –  When to apply the rule of consequence ? –  What invariant to use for while ? –  How do you prove the implications involved in consequence ?

•  The last one involves theorem proving: –  This turns out to be doable. –  The loop invariants turn out to be the hardest problem ! (Should the programmer give them?)

Axiomatic Semantics 22

Where Do We Stand?

•  We have a language for asserting properties of programs.

•  We know when an assertion is true. •  We also have a symbolic method for deriving

assertions.

² {A} c {B} ` {A} c {B}

soundness

completeness

Axiomatic Semantics 23

Soundness of Axiomatic Semantics

•  Formal statement of soundness: If ` {A} c {B} then ² {A} c {B}. or, equivalently For all σ, if σ ² A and D :: <c, σ> ⇓ σ’ and H :: ` {A} c {B} then σ’ ² B.

–  Proof: simultaneous induction on the structure of D and H.

Axiomatic Semantics 24

Completeness of Axiomatic Semantics

•  Formal statement of completeness: If ² {A} c {B} then ` {A} c {B}. or, equivalently Suppose that, for all σ, D, σ’, if σ ² A and D :: <c, σ> ⇓ σ’ then σ’ ² B.

Then there exists H such that H :: ` {A} c {B}. –  Proof: harder, and requires an assumption that says that loop

invariants can be expressed as logical formulas.

(See slides on-line and Winskel’s book for more.)

Axiomatic Semantics 25

Weakest Preconditions (Dijkstra)

•  Assertions can be ordered:

false true )

strong weak preconditions of c that

imply that B holds on exit

weakest precondition: wp(c, B)

•  Thus: to verify {A} c {B }, we may compute wp(c, B) and prove A ) wp(c, B).

A

Axiomatic Semantics 26

Weakest Preconditions

•  Define wp(c, B) inductively on c, following Hoare rules:

wp(c1; c2, B) = wp(c1, wp(c2, B))

wp(x := e, B) = [e/x]B

wp(if E then c1 else c2, B) = E ) wp(c1, B) Æ ¬ E ) wp(c2, B)

{A} c1 {C} {C} c2 {B}

{ A } c1; c2 {B}

{ [e/x]B } x := E {B}

{A} c1 {B} {A’} c2 {B}

{ E ) A Æ ¬ E ) A’} if E then s1 else s2 {B}

Axiomatic Semantics 27

Weakest Preconditions for Loops

•  We start from the equivalence while b do c = if b then c; while b do c else skip •  Let W = wp(while b do c, B)

•  We have that W = (b ) wp(c, W) Æ ¬ b ) B)

•  But this is a recursive equation ! –  We know how to solve these… in a complete partial order. –  Least solutions may or may not exist over formulas.

Axiomatic Semantics 28

Extra material on axiomatic semantics: soundness and completeness

(covered in the lectures only as time permits)

Axiomatic Semantics 29

Hoare Rules: Assignment and References

•  When is the following Hoare triple valid? { A } *x = 5 { *x + *y = 10 }

•  A ought to be “*y = 5 or x = y”

•  The Hoare rule for assignment would give us: [5/*x](*x + *y = 10) = 5 + *y = 10 = *y = 5 (we lost one case)

•  How come the rule does not work?

Axiomatic Semantics 30

Hoare Rules: Assignment and References (Cont.)

•  To model writes correctly we use memory expressions. –  A memory write changes the value of memory

•  Important technique: •  Treat memory as a whole. •  And reason about memory expressions with rules

such as McCarthy’s:

{ B[upd(M, E1, E2)/M] } *E1 := E2 {B}

sel(upd(M, E1, E2), E3) = E2 if E1 = E3

sel(M, E3) if E1 ≠ E3

Axiomatic Semantics 31

Memory Aliasing

•  Consider again: { A } *x := 5 { *x + *y = 10 } •  We obtain: A = [upd(M, x, 5)/M] (*x + *y = 10) = [upd(M, x, 5)/M] (sel(M, x) + sel(M, y) = 10) = sel(upd(M, x, 5), x) + sel(upd(M, x, 5), y) = 10 = 5 + sel(upd(M, x, 5), y) = 10 = if x = y then 5 + 5 = 10 else 5 + sel(M, y) = 10 = x = y or *y = 5

Axiomatic Semantics 32

Mutable Records

•  Let r : RECORD f1 : T1; f2 : T2 END •  One method for handling records:

–  One “memory” for each field –  The record address is the index –  r.f1 is sel(f1,r) and r.f1 := E is f1 := upd(f1,r,E)

Axiomatic Semantics 33

Soundness of Axiomatic Semantics

•  Formal statement If ` { A } c { B} then ² { A} c { B}. or, equivalently For all σ, if σ ² A and D :: <c, σ> ⇓ σ’ and H :: ` { A } c { B} then σ’ ² B. •  How can we prove this?

–  By induction on the structure of c? •  No, problems with while and rule of consequence.

–  By induction on the structure of D? •  No, problems with rule of consequence.

–  By induction on the structure of H? •  Not quite, problems with while.

–  By simultaneous induction on the structure of D and H.

Axiomatic Semantics 34

Simultaneous Induction

•  Consider two structures D and H. –  Assume that x < y iff x is a substructure of y.

•  Define the lexicographic ordering (d, h) < (d’, h’) iff d < d’ or d = d’ and h < h’ •  This is a well-founded order and serves for a

simultaneous induction.

•  If d < d’ then h can actually be larger than h’. •  It can even be unrelated to h’.

Axiomatic Semantics 35

Soundness of the Consequence Rule

•  Case: last rule used in H :: ` { A} c { B} is the consequence rule:

•  From soundness of the first-order logic derivations we have σ ² A ) A’, hence σ ² A’

•  From IH with H1 and D we get that σ’ ² B’.

•  From soundness of the first-order logic derivations we have that σ’ ² B’ ) B, hence σ’ ² B, q.e.d.

A ) A’ H1 :: ` {A’} c {B’} ` B’ ) B

` {A} c {B}

Axiomatic Semantics 36

Soundness of the Assignment Axiom

•  Case: the last rule used in H :: ` { A } c { B} is the assignment rule

•  The last rule used in D :: <x := e, σ> ⇓ σ’ must be

•  We must prove the substitution lemma: If σ ² [e/x]B and <σ, e> ⇓ n then σ ² [n/x]B

D1 :: <e, σ > ⇓ n <x := e, σ > ⇓ σ[x := n]

` {[e/x]B} x := e {B}

Axiomatic Semantics 37

Soundness of the While Rule

•  Case: last rule used in H : ` { A } c { B} is the while rule:

•  There are two possible rules at the root of D. –  We do only the complicated case:

H1 :: ` {A Æ b} c {A}

` {A} while b do c {A Æ ¬ b}

D1 :: <b, σ> ⇓ true D2 :: <c,σ> ⇓ σ’ D3 :: <while b do c, σ’ > ⇓ σ’’

<while b do c, σ > ⇓ σ’’

Axiomatic Semantics 38

Soundness of the While Rule (Cont.)

Assume that σ ² A To show that σ’’ ² A Æ ¬ b •  By property of booleans and D1 we get σ ² b.

–  Hence σ ² A Æ b. •  By IH on H1 and D2 we get σ’ ² A. •  By IH on H and D3 we get σ’’ ² A Æ ¬ b, q.e.d.

•  Note that in the last use of IH the derivation H did not decrease.

•  See Winskel, Chapter 6.5 for a soundness proof with denotational semantics.

Axiomatic Semantics 39

Completeness of Axiomatic Semantics

•  Is it true that whenever ² {A} c {B} we can also derive ` {A} c {B} ?

•  If it isn’t then it means that there are valid properties of programs that we cannot verify with Hoare rules.

•  Good news: for our language the Hoare triples are complete.

•  Bad news: only if the underlying logic is complete (whenever ² A we also have ` A). -  This is called relative completeness. -  The underlying logic must also be expressive enough.

Axiomatic Semantics 40

A Partial Order for Assertions

•  What is the assertion that contains least information? –  true – it does not say anything about the state.

•  What is an appropriate information ordering ? A v A’ iff ² A’ ) A

•  Is this partial order complete? –  Take a chain A1 v A2 v … –  Let ÆAi be the infinite conjunction of Ai

σ ² ÆAi iff for all i we have that σ ² Ai

–  Verify that ÆAi is the least upper bound.

•  Can ÆAi be expressed in our language of assertions? –  In many cases yes (see Winskel); we’ll assume so.

Axiomatic Semantics 41

Weakest Precondition for WHILE

•  Use the fixed-point theorem F(A) = (b ) wp(c, A) Æ ¬ b ) B)

–  Verify that F is both monotone and continuous.

•  The least fixed point (i.e., the weakest fixed point) is

wp(while b do c, B) = ÆFi(true)

•  Notice that unlike for the denotational semantics of IMP, we are not working on a flat domain.

Axiomatic Semantics 42

Proof Idea for Completeness

•  Completeness of axiomatic semantics: If ² { A } c { B } then ` { A } c { B} •  Assuming that we can compute wp(c, B) with the

following properties: 1.  wp is a precondition (according to the Hoare rules) ` { wp(c, B) } c { B} 2.  wp is the weakest precondition: If ² { A } c { B} then ² A ) wp(c, B).

•  We also need that whenever ² A then ` A.

` A ) wp(c, B) ` {wp(c, B)} c {B}

` {A} c {B}